IBM Support

IV57419: JGSS SHOULD USE DEFAULT_REALM BEFORE GUESSING THE REALM FROM HOSTNAME.


APAR status

  • Closed as program error.

Error description

  • Error Message, as reported by customer:
    The test environment is mapping multiple totally different
    hostnames into one realm.
    In this case, krb config file is not used, and the default
    realm is set by system property.
    IBM's implementation failed in this scenario with exception
    UNKNOWN_SERVER.
    
    Stack Trace, if applicable:
    [KRB_DBG_TGS] TgsCredentials:main:   >>> Caught exception in getting TGS cred: UNKNOWN_SERVER:mongodb/mdb07.guard.swg.usma.ibm.com@GUARD.SWG.USMA.IBM.COM
    com.ibm.security.krb5.KrbException, status code: 7
        message: UNKNOWN_SERVER:mongodb/mdb07.guard.swg.usma.ibm.com@GUARD.SWG.USMA.IBM.COM
        at com.ibm.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:32)
        at com.ibm.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:12)
        at com.ibm.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:110)
        at com.ibm.security.krb5.internal.s.e(s.java:53)
        at com.ibm.security.krb5.internal.s.d(s.java:121)
        at com.ibm.security.krb5.Credentials.acquireSvcCreds(Credentials.java:68)
        at com.ibm.security.jgss.mech.krb5.n.a(n.java:261)
        at com.ibm.security.jgss.mech.krb5.n.initSecContext(n.java:128)
        at com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:165)
        at com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:145)
        at com.ibm.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:174)
        at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:486)
        at com.mongodb.DBPort.authenticate(DBPort.java:322)
        at com.mongodb.DBPort.checkAuth(DBPort.java:333)
        at com.mongodb.DBTCPConnector.innerCall(DBTCPConnector.java:243)
        at com.mongodb.DBTCPConnector.call(DBTCPConnector.java:216)
        at com.mongodb.DBApiLayer$MyCollection.__find(DBApiLayer.java:288)
        at com.mongodb.DBApiLayer$MyCollection.__find(DBApiLayer.java:273)
        at com.mongodb.DBCollection.findOne(DBCollection.java:728)
    
    Other Error Information, as reported by customer:
    N/A
    

Local fix

  • N/A
    

Problem summary

  • JGSS should use default_realm before guessing the realm from
    hostname.
    
    ERROR DESCRIPTION:
    The test environment is mapping multiple totally different
    hostnames into one realm.
    In this case, krb config file is not used, and the default realm
    is set by system property.
    IBM's implementation failed in this scenario with exception
    UNKNOWN_SERVER.
    
    [KRB_DBG_TGS] TgsCredentials:main:   >>> Caught exception in getting TGS cred: UNKNOWN_SERVER:<SPN>
    com.ibm.security.krb5.KrbException, status code: 7
        message: UNKNOWN_SERVER:<SPN>
        at com.ibm.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:32)
        at com.ibm.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:12)
        at com.ibm.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:110)
        at com.ibm.security.krb5.internal.s.e(s.java:53)
        at com.ibm.security.krb5.internal.s.d(s.java:121)
        at com.ibm.security.krb5.Credentials.acquireSvcCreds(Credentials.java:68)
        at com.ibm.security.jgss.mech.krb5.n.a(n.java:261)
        at com.ibm.security.jgss.mech.krb5.n.initSecContext(n.java:128)
        at com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:165)
        at com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:145)
        at com.ibm.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:174)
    

Problem conclusion

  • The JGSS implementation now checks the default realm specified by
    the system property before guessing the realm from host
    information.
    
    The associated Austin CMVC defect is 115410.
    The associated Hursley CMVC defect is 202244.
    The associated RTC Problem Report is 63103.
    
    The fix was delivered for 150_SR16_FP7, 160_SR16FP1, 626_SR8FP1,
     170_SR7FP1, and 727_SR1FP1.
    
    
    The fix will be available in ibmjgssprovider.jar (level
    20140507b).
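
    The two lookup orders described above, modelled as an added example (not IBM's code and not part of the original APAR). It assumes the default realm is supplied through the standard JDK property java.security.krb5.realm, which the APAR does not name, and that the hostname guess drops the first label and upper-cases the rest, as the realm in the trace suggests; the realm and host names are constructed.

```java
import java.util.Locale;

public class RealmResolutionDemo {
    // Standard JDK property for the default realm (assumed; the APAR does not name it).
    static final String REALM_PROP = "java.security.krb5.realm";

    // Model of "guessing the realm from hostname": drop the first label and
    // upper-case the rest, which reproduces the realm seen in the reported trace.
    static String guessRealmFromHost(String host) {
        int dot = host.indexOf('.');
        if (dot < 0 || dot == host.length() - 1) {
            return null; // short name: nothing to guess from
        }
        return host.substring(dot + 1).toUpperCase(Locale.ROOT);
    }

    // Order from the error description: the hostname guess wins.
    // Falling back to the property for short names is an assumption of this model.
    static String realmBeforeFix(String host) {
        String guessed = guessRealmFromHost(host);
        return guessed != null ? guessed : System.getProperty(REALM_PROP);
    }

    // Order from the problem conclusion: the configured default realm wins.
    static String realmAfterFix(String host) {
        String configured = System.getProperty(REALM_PROP);
        return (configured != null && !configured.isEmpty())
                ? configured : guessRealmFromHost(host);
    }

    public static void main(String[] args) {
        // Constructed sample values: several unrelated hostnames, one realm.
        System.setProperty(REALM_PROP, "EXAMPLE.TEST");
        String[] hosts = {"db1.alpha.example", "db2.beta.example", "db3"};
        for (String host : hosts) {
            String before = realmBeforeFix(host);
            String after = realmAfterFix(host);
            // A mismatch means an unfixed level requests the SPN in the guessed
            // realm; the APAR reports that outcome as UNKNOWN_SERVER (status code 7).
            System.out.printf("mongodb/%s  before=@%s  after=@%s  %s%n",
                    host, before, after,
                    after.equals(before) ? "ok" : "affected on unfixed levels");
        }
    }
}
```

    Running the same comparison over a deployment's real service hostnames and configured realm lists the service principals that fail on JGSS levels older than the fix.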
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV57419

  • Reported component name

    TIV JAVA GSS-AP

  • Reported component ID

    TIVSECJGS

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-03-25

  • Closed date

    2014-05-20

  • Last modified date

    2014-05-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV JAVA GSS-AP

  • Fixed component ID

    TIVSECJGS

Applicable component levels

  • R100 PSY

       UP


Document Information

Modified date:
28 May 2014